diff --git a/security/pkix/lib/pkixnames.cpp b/security/pkix/lib/pkixnames.cpp
index 9f9d8e5a7f4a..44c972f8f337 100644
--- a/security/pkix/lib/pkixnames.cpp
+++ b/security/pkix/lib/pkixnames.cpp
@@ -54,14 +54,15 @@ namespace {
 // registeredID [8] OBJECT IDENTIFIER }
 MOZILLA_PKIX_ENUM_CLASS GeneralNameType : uint8_t
 {
- // Note that these values are NOT contiguous because directoryName also
- // has the der::CONSTRUCTED bit set.
- otherName = der::CONTEXT_SPECIFIC | 0,
+ // Note that these values are NOT contiguous. Some values have the
+ // der::CONSTRUCTED bit set while others do not.
+ // (The der::CONSTRUCTED bit is for types where the value is a SEQUENCE.)
+ otherName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
 rfc822Name = der::CONTEXT_SPECIFIC | 1,
 dNSName = der::CONTEXT_SPECIFIC | 2,
- x400Address = der::CONTEXT_SPECIFIC | 3,
+ x400Address = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3,
 directoryName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 4,
- ediPartyName = der::CONTEXT_SPECIFIC | 5,
+ ediPartyName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 5,
 uniformResourceIdentifier = der::CONTEXT_SPECIFIC | 6,
 iPAddress = der::CONTEXT_SPECIFIC | 7,
 registeredID = der::CONTEXT_SPECIFIC | 8,
diff --git a/security/pkix/test/gtest/pkixnames_tests.cpp b/security/pkix/test/gtest/pkixnames_tests.cpp
index 061f3942cf02..cb89a4b89215 100644
--- a/security/pkix/test/gtest/pkixnames_tests.cpp
+++ b/security/pkix/test/gtest/pkixnames_tests.cpp
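Review bot: The parenthetical added above otherName in the GeneralNameType enum (pkixnames.cpp) explains der::CONSTRUCTED as "the value is a SEQUENCE", which does not account for directoryName: its type, Name, is a CHOICE, and it is constructed because a tagged CHOICE is always explicitly tagged. Someone extending or auditing the enum from that comment could derive the wrong tag, and a wrong tag here means a GeneralName entry is not recognised as its type. I would word it as `// (der::CONSTRUCTED is set where the encoding is constructed: the SEQUENCE types, and directoryName, whose CHOICE type Name is explicitly tagged.)`. The enum continues past the hunk, and the code that matches on these values is not shown.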
@@ -1438,6 +1438,17 @@ static const CheckCertHostnameParams CHECK_CERT_HOSTNAME_PARAMS[] = WITH_SAN(ipv4_mapped_ipv6_addr_str, RDN(CN("foo")), IPAddress(ipv4_addr_bytes), Result::ERROR_BAD_CERT_DOMAIN), + + // Test that the presence of an otherName entry is handled appropriately. + // (The actual value of the otherName entry isn't important - that's not what + // we're testing here.) + WITH_SAN("example.com", ByteString(), + // The tag for otherName is CONTEXT_SPECIFIC | CONSTRUCTED | 0 + TLV((2 << 6) | (1 << 5) | 0, ByteString()) + DNSName("example.com"), + Success), + WITH_SAN("example.com", ByteString(), + TLV((2 << 6) | (1 << 5) | 0, ByteString()), + Result::ERROR_BAD_CERT_DOMAIN), }; ByteString
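Review bot: The two new CHECK_CERT_HOSTNAME_PARAMS entries cover only otherName, while the same commit also changes the tags of x400Address and ediPartyName, so a regression in either of those values would go unnoticed. Adding the same pair of cases with `TLV((2 << 6) | (1 << 5) | 3, ByteString())` and `TLV((2 << 6) | (1 << 5) | 5, ByteString())` would pin all three corrected tags. The tag is also spelled as raw shifts in both entries, with the explanatory comment on the first only; a named constant would keep the comment and the value from drifting apart. The array starts before the hunk, and whether the name-constraint paths have matching coverage cannot be seen from here.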